r/frigate-caddy: Deploy Caddy in front of Frigate

Deploying Caddy as a reverse proxy for Frigate enables HTTPS with a
certificate issued by the internal CA (via ACME) and authentication via
Authelia.

Separating the installation and base configuratieon of Caddy into its
own role will allow us to reuse that part for other sapplications that
use Caddy for similar reasons.

roles/frigate-caddy/defaults/main.yml

@@ -0,0 +1 @@
+frigate_caddy_server_name: frigate.{{ ansible_domain }}

roles/frigate-caddy/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+- role: caddy
+  tags: caddy

roles/frigate-caddy/tasks/main.yml

@@ -0,0 +1,11 @@
+- name: ensure caddy is configured to proxy for frigate
+  template:
+    src: Caddyfile.j2
+    dest: /etc/caddy/Caddyfile.d/frigate.caddyfile
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload caddy
+  tags:
+  - config

roles/frigate-caddy/templates/Caddyfile.j2

@@ -0,0 +1,23 @@
+{# vim: set sw=4 ts=4 sts=4 et : #}
+{{ frigate_caddy_server_name }} {
+{% if frigate_caddy_forward_auth|d %}
+   forward_auth {{ frigate_caddy_forward_auth.url }} {
+       uri {{ frigate_caddy_forward_auth.path }}
+       header_up Host {upstream_hostport}
+
+       @unauthorized status 401
+       handle_response @unauthorized {
+           respond "" 301
+           header Location {{ frigate_caddy_forward_auth.url}}{{ frigate_caddy_forward_auth.location }}
+        }
+    }
+
+{% endif %}
+    reverse_proxy localhost:5000
+{% if frigate_caddy_acme|d %}
+
+    tls {{ frigate_caddy_acme.email }} {
+        ca {{ frigate_caddy_acme.url }}
+    }
+{% endif %}
+}